5 minute call disconnect through H.323 gateway...

Unanswered Question
May 8th, 2007

Hi Everyone,

We've been experiencing a 5 minute disconnect on calls coming into an H.323 gateway. The gateway is remote to the CallManager (across a VPN link) connected by Sonicwall firewalls. All else works fine internally (between sites), and outbound calls (through the gateway) are good too. I think this issue might be due to a TCP session termination problem by the Sonicwalls, but searching the firewall GUI has not amounted to much. Does anyone have any ideas or expereinced a similar problem?

Thanks in advance.

Dennis

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
gogasca Tue, 05/08/2007 - 18:39

Hi Dennis,

Hope you are fine, normally yes, this problems relates to VPN disconnecting the call.

You may gather sniffer trace to confirm that TCP RST is coming from the SOnicWall and open a case with them so they can provide u a solution, or change to Cisco hehe :)

dmorassut-sbi Wed, 05/09/2007 - 06:18

Thanks for your thoughts. I will open a case with Sonicwall on the matter. And yes, I am trying to convince management that a couple of PIX's would be a better solution.

Thanks,

Dennis.

dmorassut-sbi Wed, 08/20/2008 - 09:29

My solution in the end (after much time spent by 3 senior level techs) was to simply replace the Sonicwall firewalls with two ASA 5505 firewalls. This solved the 5 minute TCP session disconnects, sporadic one way audio issues, and several other VPN related concerns. In hind sight one thing I did not try was to (if possible) build a specific permit rule for the voice session control traffic and extend the TCP timeout well beyond 5 minutes on just that one rule. It might be worth a try.

Kind Regards,

Dennis.

dezoconnor Thu, 08/21/2008 - 00:45

Hind sight is a terrible thing! We had a similar issue on our 6509's using a FWSM. The problem we identified related to truncating SCCP packets on a single FWSM Firewall instance and also session timeouts on a h.323 (h.245) singnaling conversation where 1 leg of the conversation route via the firewall instance. There is a global timer set to 5 minutes which when timed out would drop the call. Disabling the timer seemed to be the only resolution.

dmorassut-sbi Thu, 08/21/2008 - 07:42

I know what you mean! In our case, we did extend global TCP timeout to well beyond 5 minutes (I recall it was to around 2 hours) thinking that most calls would fall under that duration. The undesired result was that the Sonicwall firewall did crash because its TCP tracking state table became too large. In the end, replacing the firewalls in the path to ASA 5505s was the best solution, and saved on more expensive man hours and down time.

Dennis.

Actions

This Discussion